path: root/source4/auth/credentials/credentials_files.c
Commit message | Author | Age | Files | Lines
* credentials: Split up into several subsystems. | Jelmer Vernooij | 2010-10-11 | 1 | -296/+0
* credentials: Move code that doesn't need any external dependencies into | Jelmer Vernooij | 2010-10-10 | 1 | -131/+0
  credentials.c.
* s4-kerberos Move 'set key into keytab' code out of credentials. | Andrew Bartlett | 2010-09-24 | 1 | -11/+3
  This code never really belonged in the credentials layer, and is easier done with direct access to the ldb_message that is in secrets.ldb.
  Andrew Bartlett
* s4-credentials: get all attributes in cli_credentials_set_secrets() | Andrew Tridgell | 2010-09-11 | 1 | -17/+1
  This ensures we get whenChanged, which is needed by the s3 winbind code to ensure we don't repeatedly try to change the password
* s4-loadparm: 2nd half of lp_ to lpcfg_ conversion | Andrew Tridgell | 2010-07-16 | 1 | -3/+3
  this converts all callers that use the Samba4 loadparm lp_ calling convention to use the lpcfg_ prefix.
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* s4:credentials Add in tracking of the password last set time | Andrew Bartlett | 2010-05-18 | 1 | -1/+10
  We perhaps need a more general API here, but for now extend the credentials API to return the password last changed time that the s3compat layer will need.
  Andrew Bartlett
* s4:credentials Add hooks to extract a named Kerberos credentials cache | Andrew Bartlett | 2010-02-20 | 1 | -44/+48
  This allows the integration of external tools that can't be linked into C or python, but need to authenticate as the local machine account. The machineaccountccache script demonstrates this, and debugging has been improved in cli_credentials_set_secrets() by passing back an error string.
  Andrew Bartlett
* s4:credentials Put the 'secrets.keytab' in the same directory as secrets.ldb | Andrew Bartlett | 2009-11-02 | 1 | -1/+3
  This avoids trouble when the secrets.ldb is updated with ldbedit but an smb.conf is not specified.
  Andrew Bartlett
* s4:auth - fixed problem reading bind DN from secrets database | Endi S. Dewata | 2009-10-16 | 1 | -0/+3
* s4:lib/tevent: rename structs | Stefan Metzmacher | 2008-12-29 | 1 | -3/+3
  list=""
  list="$list event_context:tevent_context"
  list="$list fd_event:tevent_fd"
  list="$list timed_event:tevent_timer"
  for s in $list; do
      o=`echo $s | cut -d ':' -f1`
      n=`echo $s | cut -d ':' -f2`
      r=`git grep "struct $o" |cut -d ':' -f1 |sort -u`
      files=`echo "$r" | grep -v source3 | grep -v nsswitch | grep -v packaging4`
      for f in $files; do
          cat $f | sed -e "s/struct $o/struct $n/g" > $f.tmp
          mv $f.tmp $f
      done
  done

  metze
* Make sure prototypes are always included, make some functions static and | Jelmer Vernooij | 2008-10-20 | 1 | -0/+1
  remove some unused functions.
* Use common util_file code. | Jelmer Vernooij | 2008-10-12 | 1 | -1/+1
* Fix include paths to new location of libutil. | Jelmer Vernooij | 2008-10-11 | 1 | -1/+1
* Kill off some bogus debugs for the world who does not use the LDAP backend | Andrew Bartlett | 2008-07-15 | 1 | -3/+3
  (This used to be commit 5bde586bdb4a1523a62a764b9ff292a4a8cee4fe)
* Allow ldap credentials to be (optionally) stored in secrets.ldb | Andrew Bartlett | 2008-07-15 | 1 | -11/+33
  This includes a simple bind DN, or SASL credentials. The error messages are reworked as on systems without an LDAP backend, we will fail to find this record very often.
  Andrew Bartlett
  (This used to be commit 95825ae6d5e9d9846f3a7505a81ebe603826227e)
* Make up the right dependencies now that ldb depends on libevents | Simo Sorce | 2008-06-14 | 1 | -1/+2
  (This used to be commit 3b8eec7ca334528cad3cdcd5e3fc5ee555d8d0e0)
* Remove event context tracking from the credentials struct. | Jelmer Vernooij | 2008-04-17 | 1 | -5/+9
  (This used to be commit 4d7fc946b2ec50e774689c9036423b6feef99b8e)
* Extend credentials python API to include set_machine_account. | Andrew Bartlett | 2008-04-05 | 1 | -1/+1
  Andrew Bartlett
  (This used to be commit 88b7a3980c7be90ea0099a3ecf08ad00fa89ea1a)
* Install public header files again and include required prototypes. | Jelmer Vernooij | 2008-04-02 | 1 | -7/+7
  (This used to be commit 47ffbbf67435904754469544390b67d34c958343)
* r26430: require explicit specification of loadparm context. | Jelmer Vernooij | 2007-12-21 | 1 | -6/+10
  (This used to be commit 1b947fe0e6e16318e5a8127bb4932d6b5d20bcf6)
* r26272: Remove global_loadparm in some more places. | Jelmer Vernooij | 2007-12-21 | 1 | -2/+3
  (This used to be commit 1ab76ecc5311fa863e5d04899b6f110899818f55)
* r26271: Remove some more uses of global_loadparm. | Jelmer Vernooij | 2007-12-21 | 1 | -4/+6
  (This used to be commit e9875fcd56de0748ed78d7e3c9cdb4919cd96d3c)
* r26229: Set loadparm context as opaque pointer in ldb, remove more uses of global_loadparm. | Jelmer Vernooij | 2007-12-21 | 1 | -5/+6
  (This used to be commit 37d05fdc7b0e6b3211ba6ae56b1b5da30a6a392a)
* r26205: Pass loadparm_context to secrets_db_connect() rather than using global context. | Jelmer Vernooij | 2007-12-21 | 1 | -1/+1
  (This used to be commit 5718b6cfee86ddfc9cf405c98c68ba848df4d9d7)
* r26003: Split up DB_WRAP, as first step in an attempt to sanitize dependencies. | Jelmer Vernooij | 2007-12-21 | 1 | -1/+1
  (This used to be commit 56dfcb4f2f8e74c9d8b2fe3a0df043781188a555)
* r25552: Convert to standard bool type. | Jelmer Vernooij | 2007-10-10 | 1 | -16/+16
  (This used to be commit b8d6b82f1248d36a0aa91a1c58d06b4f7c66d245)
* r25446: Merge some changes I made on the way home from SFO: | Jelmer Vernooij | 2007-10-10 | 1 | -1/+1
  2007-09-29 More higher-level passing around of lp_ctx.
  2007-09-29 Fix warning.
  2007-09-29 Pass loadparm contexts on a higher level.
  2007-09-29 Avoid using global loadparm context.
  (This used to be commit 3468952e771ab31f90b6c374ade01c5550810f42)
* r25026: Move param/param.h out of includes.h | Jelmer Vernooij | 2007-10-10 | 1 | -0/+1
  (This used to be commit abe8349f9b4387961ff3665d8c589d61cd2edf31)
* r24730: Allow secrets entries to be for service principals. | Andrew Bartlett | 2007-10-10 | 1 | -6/+11
  Andrew Bartlett
  (This used to be commit 7865d10a299a84ed42de4435b7e6400d56161ac5)
* r23792: convert Samba4 to GPLv3 | Andrew Tridgell | 2007-10-10 | 1 | -3/+2
  There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon.
  (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
* r21736: Fix the smbclient test to do something more interesting with the last | Andrew Bartlett | 2007-10-10 | 1 | -1/+1
  few authentication tests. Now that the tests correctly 'fail', I was able to fix the credentials subsystem to honour USER and PASSWD. To get --machine-pass working, I needed ldb to always load its static modules, so I put this in ldb_connect().
  Andrew Bartlett
  (This used to be commit 3430d8c072407a1c33c32229095fc9db2142b6fa)
* r21362: rename: | Stefan Metzmacher | 2007-10-10 | 1 | -2/+2
  "ntPwdHash" => "unicodePwd"
  "lmPwdHash" => "dBCSPwd"
  "sambaLMPwdHistory" => "lmPwdHistory"
  "sambaNTPwdHistory" => "ntPwdHistory"

  Note: you need to reprovision after this change!

  metze
  (This used to be commit dc4242c09c0402cbfdba912f82892df3153456ad)
* r21314: add more useful debug output | Stefan Metzmacher | 2007-10-10 | 1 | -6/+6
  metze
  (This used to be commit a246e4bbaaab6f98f50a3c28b47d2c541af7b44a)
* r21135: Instead of having hooks to update keytabs as an explicit thing, update | Andrew Bartlett | 2007-10-10 | 1 | -73/+12
  them as a hook on ldb modify, via a module. This should allow the secrets.ldb to be edited by the admin, and to have things update in the on-disk keytab just as an in-memory keytab would. This isn't really a dsdb plugin, but I don't have any other good ideas about where to put it.
  Andrew Bartlett
  (This used to be commit 6ce557a1aff4754d2622be8f1c6695d9ee788d54)
* r19832: better prototypes for the linearization functions: | Simo Sorce | 2007-10-10 | 1 | -1/+1
  - ldb_dn_get_linearized returns a const string
  - ldb_dn_alloc_linearized allocs a string with the linearized dn
  (This used to be commit 3929c086d5d0b3f08b1c4f2f3f9602c3f4a9a4bd)
* r19831: Big ldb_dn optimization and interfaces enhancement patch | Simo Sorce | 2007-10-10 | 1 | -1/+1
  This patch changes a lot of the code in ldb_dn.c, and also removes and adds a number of manipulation functions around. The aim is to avoid validating a dn if not necessary as the validation code is necessarily slow. This is mainly to speed up internal operations where input is not user generated and so we can assume the DNs need no validation. The code is designed to keep the data as a string if possible. The code is not yet 100% perfect, but passes all the tests so far. A memleak is certainly present, I'll work on that next.
  Simo.
  (This used to be commit a580c871d3784602a9cce32d33419e63c8236e63)
* r19598: Ahead of a merge to current lorikeet-heimdal: | Andrew Bartlett | 2007-10-10 | 1 | -0/+1
  Break up auth/auth.h not to include the world.
  Add credentials_krb5.h with the kerberos dependent prototypes.
  Andrew Bartlett
  (This used to be commit 2b569c42e0fbb596ea82484d0e1cb22e193037b9)
* r19573: Move secrets.o into param/ (subsystems haven't been integrated yet). | Jelmer Vernooij | 2007-10-10 | 1 | -1/+1
  (This used to be commit 8143de855c0b65346b2d8e59ecdb78952927de4a)
* r17516: Change helper function names to make more clear what they are meant to do | Simo Sorce | 2007-10-10 | 1 | -10/+10
  (This used to be commit ad75cf869550af66119d0293503024d41d834e02)
* r14977: more IBM checker fixes | Andrew Tridgell | 2007-10-10 | 1 | -0/+1
  (This used to be commit cd106509b664e9ca53419a62550b256b7e5bde3c)
* r14464: Don't include ndr_BASENAME.h files unless strictly required, instead | Jelmer Vernooij | 2007-10-10 | 1 | -1/+1
  try to include just the BASENAME.h files (containing only structs)
  (This used to be commit 3dd477ca5147f28a962b8437e2611a8222d706bd)
* r14363: Remove credentials.h from the global includes. | Jelmer Vernooij | 2007-10-10 | 1 | -0/+1
  (This used to be commit 98c4c3051391c6f89df5d133665f51bef66b1563)
* r13924: Split more prototypes out of include/proto.h + initial work on header | Jelmer Vernooij | 2007-10-10 | 1 | -0/+1
  file dependencies
  (This used to be commit 122835876748a3eaf5e8d31ad1abddab9acb8781)
* r13107: Follow the lead of Heimdal's kpasswdd and use the HDB (hdb-ldb in our | Andrew Bartlett | 2007-10-10 | 1 | -19/+10
  case) as the keytab. This avoids issues in replicated setups, as we will replicate the kpasswd key correctly (including from windows, which is why I care at the moment).
  Andrew Bartlett
  (This used to be commit 849500d1aa658817052423051b1f5d0b7a1db8e0)
* r12694: Move some headers to the directory of the subsystem they belong to. | Jelmer Vernooij | 2007-10-10 | 1 | -1/+1
  (This used to be commit c722f665c90103f3ed57621c460e32ad33e7a8a3)
* r12411: Add 'net samdump keytab <keytab>'. | Andrew Bartlett | 2007-10-10 | 1 | -2/+2
  This extracts a remote windows domain into a keytab, suitable for use in ethereal for kerberos decryption. For the moment, like net samdump and net samsync, the 'password server' smb.conf option must be set to the binding string for the server. eg:

  password server = ncacn_np:mypdc

  Andrew Bartlett
  (This used to be commit 272013438f53bb168f74e09eb70fc96112b84772)
* r12227: I realised that I wasn't yet seeing authenticated LDAP for the ldb | Andrew Bartlett | 2007-10-10 | 1 | -6/+33
  backend. The idea is that every time we open an LDB, we can provide a session_info and/or credentials. This would allow any ldb to be remote to LDAP. We should also support provisioning to an authenticated ldap server. (They are separate so we can say authenticate as foo for remote, but here we just want a token of SYSTEM).
  Andrew Bartlett
  (This used to be commit ae2f3a64ee0b07575624120db45299c65204210b)
* r11995: A big kerberos-related update. | Andrew Bartlett | 2007-10-10 | 1 | -4/+88
  This merges Samba4 up to current lorikeet-heimdal, which includes a replacement for some Samba-specific hacks.

  In particular, the credentials system now supplies GSS client and server credentials. These are imported into GSS with gss_krb5_import_creds(). Unfortunately this can't take a MEMORY keytab, so we now create a FILE based keytab at provision and join time.

  Because the keytab is now created in advance, we don't spend .4s at negprot doing sha1 s2k calls. Also, because the keytab is read in real time, any change in the server key will be correctly picked up by the krb5 code.

  To mark entries in the secrets which should be exported to a keytab, there is a new kerberosSecret objectClass. The new routine cli_credentials_update_all_keytabs() searches for these, and updates the keytabs.

  This is called in the provision.js via the ejs wrapper credentials_update_all_keytabs().

  We can now (in theory) use a system-provided /etc/krb5.keytab, if

  krb5Keytab: FILE:/etc/krb5.keytab

  is added to the secrets.ldb record. By default the attribute

  privateKeytab: secrets.keytab

  is set, pointing to allow the whole private directory to be moved without breaking the internal links.
  (This used to be commit 6b75573df49c6210e1b9d71e108a9490976bd41d)
* r11401: A simple hack to have our central credentials system deny sending LM | Andrew Bartlett | 2007-10-10 | 1 | -0/+3
  authentication for user@realm logins and machine account logins. This should avoid various protocol downgrade attacks.
  Andrew Bartlett
  (This used to be commit 76c2d204d0a1ec66d1ef3c935688c7571b051f46)
* r11220: Add the ability to handle the salt principal as part of the | Andrew Bartlett | 2007-10-10 | 1 | -4/+9
  credentials. This works with the setup/secrets.ldif change from the previous patch, and pretty much just re-invents the keytab. Needed for kpasswdd work.
  Andrew Bartlett
  (This used to be commit cc9d167bab280eaeb793a5e7dfdf1f31be47fbf5)